Search in array after JSON extractor

Hello,

I have a task to parse and search in JSON logs properly. I read this manual and it’s working well as described:
http://docs.graylog.org/en/3.0/pages/extractors.html#using-the-json-extractor

So now I have a field details_tags with data: one, two, three, but I have literally no idea how I can search for, for example, all logs where the details_tags field contains two.

Could you please tell me if there is any way to search in this ‘array’ field by values?

Also I’ll be very grateful for some specs on this theme.

Thank you a lot in advance!

As far as I understand after some research:

  1. GELF format does not support arrays.
  2. JSON extractor cannot properly extract an array from a field: https://github.com/Graylog2/graylog2-server/issues/6006
  3. The result from the default example array - one, two, three - is just a string. So for my case, the only way to search for some value, like two, is to enable allow_leading_wildcard_searches and then use a search query like this: *two*?

Please advise me whether I’m right or not. I am OK with a negative result, I will just be glad for confirmation to move on.

If my topic isn’t clear, I’ll try to explain my idea better, please let me know.

Thank you.

I don’t know about extracting JSON arrays, but for your 3rd point you can use a regex to search without the need to enable allow_leading_wildcard_searches:
field:/.*?two.*?/

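Added example, not part of the original posts: a substring regex like the one in the reply also hits values where `two` is only part of another element, which matters when the query feeds an alert or a hunt. The Python sketch below compares it with an element-bounded pattern. It assumes the extractor joins array elements with ", " as in the thread's example and that the regex must match the whole stored value (emulated with `re.fullmatch`); the sample values and function names are constructed for illustration.

```python
import re

# Constructed sample values of the flattened details_tags field, assuming the
# extractor joins array elements with ", " as in the thread's "one, two, three".
SAMPLES = [
    "one, two, three",      # tag in the middle
    "two",                  # single-element array
    "two, three",           # tag first
    "one, two",             # tag last
    "one, twofold, three",  # no "two" element, but contains the substring
    "network-two, three",   # no "two" element, but contains the substring
    "one, three",           # no match at all
]

def substring_pattern(tag):
    # Same shape as the regex from the reply: anything, the tag, anything.
    return ".*?" + re.escape(tag) + ".*?"

def element_pattern(tag):
    # The tag must be a whole element: optional "<elements>, " prefix and
    # optional ", <elements>" suffix around it.
    return "(.*, )?" + re.escape(tag) + "(, .*)?"

def matching(pattern, values):
    # re.fullmatch emulates a regexp query that must match the entire stored
    # value (assumption: the field is kept as one unanalyzed string).
    return [v for v in values if re.fullmatch(pattern, v)]

def false_positives(tag, values):
    # Values hit by the substring pattern whose element list lacks the tag.
    return [v for v in matching(substring_pattern(tag), values)
            if tag not in v.split(", ")]

if __name__ == "__main__":
    print("substring:", matching(substring_pattern("two"), SAMPLES))
    print("element:  ", matching(element_pattern("two"), SAMPLES))
    print("false positives:", false_positives("two", SAMPLES))
```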

Thank you for your help, frantz! This is useful for my case.
